Anti-Phishing Legislation Introduced into US Senate

Yesterday I published details of the Internet Commerce Association’s position paper and analysis of a bill known as The Anti-Phishing Consumer Protection Act of 2008, introduced into the US Senate in late February. The bill was introduced by Democratic Sen. Bill Nelson (Fla.) and Republicans Olympia Snowe (Wash.) and Ted Stevens (Alaska). The bill contains “31 pages of new regulations that could raise the cost of doing business for legitimate companies–but will do little to stop the malcontents behind phishing attacks,” writes Declan McCullagh in CNet.

However, the bill is not needed. And do you remember Ted Stevens? He’s the one who referred to the internet as a “series of tubes”. Hear the audio of this on YouTube at youtube.com/watch?v=f99PcP0aFNE. It is rather incoherent. Probably much the same as this legislation! Poor Ted refers to having been sent the internet by a member of staff! His staff must be pretty clever.

Anyway, back to the legislation. Declan reminds us phishing is already a crime. He notes “at least seven states have enacted antiphishing legislation, and companies including Microsoft and Amazon.com have used those laws to target Internet scammers. Plus, fraud has been prohibited for hundreds of years at common law. In short, there’s no obvious lack of laws prohibiting fraud in the form of phishing attacks.”

Declan then goes on to say:
If their bill merely duplicated existing criminal laws, it would be more redundant than worrisome. Except that one section is actively harmful to the privacy of Americans who own domain names and want to protect their privacy. The bill says:
It is unlawful for the registrant of a domain name used in any commercial activity to register such domain name in any Whois database with false or misleading identifying information, including the registrant’s name, physical address, telephone number, facsimile number, or electronic mail address.
It is unlawful for a domain name registrar…to shield, mask, block or otherwise restrict access to, any domain name registrant’s name, physical address, telephone number, facsimile number, or electronic mail address, or other identifying information in any Whois database…if such registrar…has received written notice, including via facsimile or electronic mail at such entity’s facsimile number or electronic mail address of record, that the use of such domain name is in any violation of any provision of this Act.

So let’s get this right. Those folks who, reasonably, prefer not to give their actual physical address and telephone number when registering a domain name for themselves or their family are now going to be violating federal law. (Here’s something I wrote on Whois privacy in 2004.)

There are some pretty hefty penalties in the legislation, which defines “phishing” as a deceptive practice under the Federal Trade Commission Act, and creates multiple enforcement mechanisms by providing strong civil and criminal penalties against phishers, including:

  • $250 per violation up to $2,000,000 for state-initiated civil actions, which may be tripled if the violations were committed willfully and knowingly;
  • allowing interactive computer services (including ISPs) and trademark owners to sue in federal court for actual and punitive damages;
  • a fine and up to 5 years imprisonment for fraudulently displaying a website seeking to obtain personal information; and
  • a fine and up to 5 years imprisonment for sending e-mails that falsely or deceptively represent the sender, and that seek to obtain personal information.

The legislation empowers various federal agencies to enforce the Act, because many phishers attempt to represent themselves as government agencies or regulated entities. For example, the Federal Deposit Insurance Corporation (FDIC) may enforce offenses against banks insured by the FDIC, while the Securities and Exchange Commission (SEC) may enforce offenses with respect to brokers and the stock market.

To read all of Declan’s story, go to www.news.com/8301-13578_3-9879859-38.html. The legislation is available at commerce.senate.gov/public/_files/SnoweStevensAntiPhishing.pdf while a news release announcing the legislation is at commerce.senate.gov/public/index.cfm?FuseAction=PressReleases.Detail&PressRelease_id=249069.
